I’m sorry, but were you actually trying to remember your comical passwords?

15 August 2011

I love a good XKCD comic; Randall Munroe has a unique way of cutting right to the crux of technology issues and always doing it in a humorous fashion. Little Bobby Tables remains an all-time classic and it’s amazing how many times you’ll see it quoted in security discussions – it’s now well and truly embedded in pop culture (well, at least in the little app-sec corner of the world).

Last week’s password strength comic was no exception; very funny stuff about the pain people will go to in order to create a strong password which they’ll ultimately forget. Anyway, the crux of the comic was this piece about using four random words as a way of creating a password that is both memorable and strong:

It goes on to calculate the bits of entropy in this password versus shorter versions using(unmemorable) character substitutions and concludes that:

Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

Bravo, but there’s a bit more to it than that…

Stop here if you’re a savant, otherwise read on

The issue is simply this: you can’t apply that approach consistently (if at all, in some cases) and uniquely across all your accounts and remember what on earth they are and which sites they belong to. In fact you’re really back at the conclusion in the first part of the strip with the character substitution password where Randall concludes “Difficulty to remember: hard”.

Often when I write about password management I get a whole lot of comments about how someone has the perfect system. These have included:

And that’s just the comments directly on my blog from one post. The patterns repeat themselves across other posts and then across the likes of Reddit and Hacker News.

It’s funny how often these turn up (often multiple times in comments on the one post), and how frequently the author thinks they’ve struck on something truly innovative and unique. I’ve even been asked to quote one of these “innovators” if I reproduced the password technique in other writing!

The problems with the suggestions above are numerous:

Many sites limit password character length to small sizes.

Many sites also limit character range – sometimes they’ll only allow digits.

Sometimes you have multiple accounts for one website.

Sometimes you need to change the password on a website (i.e. after a breach).

But the mother of all problems, the one which trumps all the others hands down, is that you simply can’t remember any of these practices consistently and uniquely across all your accounts. Consequently, it means the people following these approaches are either savants or they’re reusing passwords (normally when this is pointed out the discussion goes a bit quiet). Let me demonstrate the scale of the problem for the internet user in today’s age.

Counting accounts

What makes this whole password shenanigan difficult is that it’s not just one password we need in our online world, its many, many, many passwords. Yes, OAuth or OpenID across everything would be nice but other than the inherent problems they pose, there’s just no way your average bank is willing to hand over something as critical as authentication or authorisation to another party.

Now I’m probably not your average online user by virtue of the industry I work in, but let me try and illustrate the scale of the problem by talking about the accounts I have. This is based on what I have configured in 1Password – one of the leaders in password management software – where I’ve created half a dozen folders I categorise my accounts into:

Going back to the original XKCD comic, we need to follow the pattern below and generate unique passwords for every account:

Firstly, I have to apply this principle across my banking – this is absolutely, positively not an area to be taking shortcuts on so I’ll need eight sets of words:

Why so many banking logins? Savings accounts, couple of credit cards, property finance, PayPal then some of my wife’s accounts as well which, incidentally, are often with the same institutions. Oh, and my Amex password is limited to 16 characters so I can’t apply the principle anyway. Oh crap, there’s also my St. George bank account and that’s only 12 characters. Uh oh, there’s also IMB who’ll only take digits so now I’ve got another problem. At least it’s only eight accounts!

Let’s move on to shopping accounts and given these can have a direct financial impact on me, I kind of want to look after them pretty well so I’ll need a dozen more four word combinations:

This probably isn’t that many accounts compared to serious online shoppers but still, stuff like eBay is pretty important to me, plus of course most of these have all my billing details on file so they’ll track me down if someone starts buying stuff on my behalf.

It’s a little bit the same with my accounts related to entertainment; misuse of these can screw with me financially so I’m going to be careful with them which means I need another fourteen combinations:

Many of these have my credit card on file not to mention the fact that it can make life pretty painful if the account details fall into the wrong hands. Scott Hanselman’s recent iTunes experience is an example of this and that’s one of the accounts I need to protect. Now add in other stores where I’ve purchased music, played games or ordered tickets online and the numbers start stacking up pretty quickly.

Then there are the airlines and their reward programs. I don’t really want people seeing where I’ve been flying to and I particularly don’t want them booking any flights on my behalf with my hard-earned frequent flyer points so let’s create another half dozen unique passwords for them:

Oh, and almost without exception airlines will only let you create passwords with four or six digits so throw out any password strategy which doesn’t let you do this.

Then there are the online forums of which I seem to have accumulated quite a few. These are often pretty loosely put together apps and I know many of them are storing plain text passwords (just try the password reminder feature), so I’ll need another twenty two unique passwords please:

Some of these aren’t particularly significant to me, but in many cases they’re a small – albeit important – part of my online identity. I’ve obviously spent a lot of time in technology based discussions, but also in other places talking about cars, real estate and even coffee where I don’t want someone jumping in and reading my private messages or impersonating me and potentially messing up the work I’ve put into my online persona. I know that many people espouse “throwaway accounts” where they don’t care about the security but my online identity is important to me and I don’t want someone jumping up and being obnoxious (or worse), using my name, email, possibly photo and other online attributes.

But possibly one of the most vulnerable – or at least “important” categories of account I have are the social media ones of which I’ve accumulated another eighteen accounts:

These accounts include information on everything from the conversations I’ve had with my wife to my kid’s photos to my Twitter identity. It’s really important stuff to me and it’s possibly the accounts I most want protected, in some cases it’s on a par with things like banking (which generally have pretty good fraud protection these days). There’s a few accounts in there I really don’t use (never could get into foursquare), but again, I still don’t want other people messing with them and gaining access to personal data.

Finally, there’s everything else that doesn’t fit neatly into a category so that’ll be another fifty unique passwords to remember please:

Why so many and what on earth is in there? Everything from email to FedEx package tracking to RescueTime to Dropbox and Mozy backups to the formula1.com account I needed to be able to use the iPhone app. Heaps of stuff I care deeply about, other stuff I care less about but still, that’s a whole lot of passwords.

So in total, I’m tracking one hundred and thirty accounts. Very few people will read this and have less than 30 accounts, even if you can’t think of them all off the top of your head right now (can you really remember every account you’ve ever created?) Be honest, add them all up and see what you get to, even the ones you don’t use that often. And if you don’t have 30 accounts now, just how long will it be until you do? Having recently gone through the password management exercise with my father in his 60s and not coming from a technology background, I know that at worst, any regular online user will almost certainly have more accounts than they can count on their fingers and toes and definitely more than they can apply their memory to.

The point of all this is to graphically illustrate the volume of online accounts we inevitably accumulate and that memory based password management doesn’t work. There are always exceptions, be they with sites with overly restrictive password rules, instances of multiple accounts per site or when you simply want to change a password. It’s simply infeasible.

It’s not about memory; it’s about the ability to retrieve

A lot of the problem with passwords seems to stem from folks thinking they need to be able to remember their passwords. Who on earth ever gave them this idea?! The concept is flawed by design; memorable is the antithesis to secure.

Of course there are a very small number of accounts you do need to remember; the master password on my 1Password account, for example. The password on my PC which I enter directly many times per day is another example and in both cases, I simply can’t create the entropy I do for my online accounts using a password manager. But then again, these don’t have the same exposure and risk profile as online accounts, although what they both protect is rather valuable.

In case it’s not already clear, my argument isn’t at all against the security of the comic’s mechanism in and of itself, even though Randall is kind enough to add a little alt text disclaimer for those who may not be happy with it:

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

No, my argument is simply that you can’t apply this mechanism – or any human memory-bound mechanism – consistently and uniquely. This is a rather big problem for both security and usability.

When the discussion switches from memory to retrieval, it’s suddenly a whole different ball game. All the elaborate but flawed plans designed to create passwords that make sense to humans can go out the window and we can start focussing on the password schemes which make sense to computer security. Naturally, usability is an essential consideration as without this you begin to compromise the core objective of secure password management. This is why the likes of 1Password make both password management and password usage easy – certainly much easier than trying to stretch your memory muscle into doing inconceivable things.

Bottom line: Stop the crazy talk and get with the (password management) program

It’s amazing how fast news about something people want to hear travels. It was only a few months back that people were basking in the euphoria that all they needed for a password was something akin to “this is fun”. That was quickly debunked by myself among others working in the security field but it still got a lot of airtime and no doubt caused many people to make foolish decisions. This is no more than the Atkin’s Diet of password management (who’d have thought bad password advice would have come from a fashion designer turned social media pundit?!)

And now we’re going through the cycle again following the XKCD comic. There’s already simplestrongpasswordgenerator.com which appears to have sprung up in direct response to the cartoon, certainly it references the original work in the “Why is this a great password” link. But if you really want to see how quickly people are buying into this tactic, just check out the tweets referring to the URL. Lots of excitement out there.

As I said via Twitter yesterday after seeing the comic, “When your entire rationale for a password strategy is dependent on one comic, you're probably missing something”. Mind you, if you read the right material you’ll find suggestions that this approach needs to be done in unison with a password manger (that sort of defies the point of a “memorable” password anyway), or as the master password of a password manager. Somehow that small but critical detail doesn’t really come through in the comic.

There’s more than enough evidence out there to suggest that people are consistently choosing bad passwords and reusing them (the last two links at the bottom of this post are good examples). It’s been a very active year for publicity about website hacks and those who haven’t employed good password practices have often come unstuck not just on the breached website, but on subsequent sites where reuse has occurred. Unfortunately, if you follow “fun” advice or take your comics too seriously, there’s a good chance you’ll fall to one of these hacks sooner or later. And that’s no fun at all.